Slide 1
Slide 1 text
Death to Cookies. Konstantin Haase (@konstantinhaase)
Slide 2
Slide 2 text
story time
Slide 3
Slide 3 text
No content
Slide 4
Slide 4 text
No content
Slide 5
Slide 5 text
No content
Slide 6
Slide 6 text
once upon a time
Slide 7
Slide 7 text
No content
Slide 8
Slide 8 text
No content
Slide 9
Slide 9 text
Recipetastic™
Slide 10
Slide 10 text
No content
Slide 11
Slide 11 text
No content
Slide 12
Slide 12 text
Bob Alice
Slide 13
Slide 13 text
Bob Alice
Slide 14
Slide 14 text
Bob Alice Eve
Slide 15
Slide 15 text
Bob Alice Mallet
Slide 16
Slide 16 text
problem solved
Slide 17
Slide 17 text
No content
Slide 18
Slide 18 text
POST /login HTTP/1.1
Host: www.recipetast.ic
Content-Length: 44

[email protected]&password=st0p%20Motion
Slide 19
Slide 19 text
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: user=bob
...
Slide 20
Slide 20 text
GET / HTTP/1.1
Host: www.recipetast.ic
Cookie: user=bob
Slide 21
Slide 21 text
Guessing
Slide 22
Slide 22 text
No content
Slide 23
Slide 23 text
No content
Slide 24
Slide 24 text
No content
Slide 25
Slide 25 text
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: user=bob
Set-Cookie: pwd=...
...
Slide 26
Slide 26 text
GET / HTTP/1.1
Host: www.recipetast.ic
Cookie: user=bob,pwd=...
Slide 27
Slide 27 text
GET / HTTP/1.1
Host: www.recipetast.ic
Cookie: user=bob,pwd=...

Basic Auth, just with cookies
Slide 28
Slide 28 text
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: user=bob
Set-Cookie: token=...
...
Slide 29
Slide 29 text
No content
Slide 30
Slide 30 text
XSS: Cross Site Scripting
Slide 31
Slide 31 text
No content
Slide 32
Slide 32 text
can read cookie and send it somewhere
Slide 33
Slide 33 text
No content
Slide 34
Slide 34 text
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: user=bob; HttpOnly
...
Slide 35
Slide 35 text
No content
Slide 36
Slide 36 text
can read (and write) recipes
Slide 37
Slide 37 text
No content
Slide 38
Slide 38 text
sanitize all user input
Slide 39
Slide 39 text
Content Security Policy
Slide 40
Slide 40 text
No content
Slide 41
Slide 41 text
CSRF: Cross Site Request Forgery
Slide 42
Slide 42 text
Is this awesome, y/n?
Slide 43
Slide 43 text
No content
Slide 44
Slide 44 text
GET /create?… HTTP/1.1
Host: www.recipetast.ic
Cookie: user=alice
Slide 45
Slide 45 text
GET /create?… HTTP/1.1
Host: www.recipetast.ic
Cookie: user=alice

Deadly cookies!
Slide 46
Slide 46 text
No content
Slide 47
Slide 47 text
GET, HEAD, OPTIONS, TRACE
PUT, DELETE, LINK, UNLINK
POST, PATCH
Slide 48
Slide 48 text
PUT / (the same request sent twice): Repeatable! :) State change! :( Deterministic! :)
https://speakerdeck.com/rkh/we-dont-know-http
Slide 49
Slide 49 text
GET, HEAD, OPTIONS, TRACE
PUT, DELETE, LINK, UNLINK
POST, PATCH
Slide 50
Slide 50 text
No content
Slide 51
Slide 51 text
No content
Slide 52
Slide 52 text
No content
Slide 53
Slide 53 text
POST /create HTTP/1.1
Host: www.recipetast.ic
Cookie: user=alice
...
Slide 54
Slide 54 text
POST /create HTTP/1.1
Host: www.recipetast.ic
Cookie: user=alice
...

Deadly cookies!
Slide 55
Slide 55 text
No content
Slide 56
Slide 56 text
POST /create HTTP/1.1
Host: www.recipetast.ic
Referer: http://awesome-website.com/
Cookie: user=alice
Slide 57
Slide 57 text
POST /create HTTP/1.1
Host: www.recipetast.ic
Referer: http://awesome-website.com/
Cookie: user=alice

[sic]
Slide 58
Slide 58 text
No content
Slide 59
Slide 59 text
No content
Slide 60
Slide 60 text
Referer is not set for FTP or HTTPS referrers
Slide 61
Slide 61 text
Referer can be spoofed by outdated flash plugin
Slide 62
Slide 62 text
No content
Slide 63
Slide 63 text
POST /create HTTP/1.1
Host: www.recipetast.ic
Origin: http://awesome-website.com
Cookie: user=alice
Slide 64
Slide 64 text
No content
Slide 65
Slide 65 text
No content
Slide 66
Slide 66 text
Not supported by older browsers
Slide 67
Slide 67 text
Origin can probably be spoofed by outdated flash plugin
Slide 68
Slide 68 text
No content
Slide 69
Slide 69 text
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: csrf_token=XXX
Slide 70
Slide 70 text
No content
Slide 71
Slide 71 text
No content
Slide 72
Slide 72 text
Cheating Same Origin
Slide 73
Slide 73 text
HTTP/1.1 200 OK
Content-Type: application/json
Slide 74
Slide 74 text
An attacker could just load it, right?
Slide 75
Slide 75 text
AJAX can only load from the same origin (or CORS)
Slide 76
Slide 76 text
No content
Slide 77
Slide 77 text
seems harmless
Slide 78
Slide 78 text
In JavaScript, you can override the array constructor.
Slide 79
Slide 79 text
https://github.com/rkh/json-csrf
Slide 80
Slide 80 text
No content
Slide 81
Slide 81 text
Never serve JSON that has an array at top level (or don’t use cookies)
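Slides 78 to 81 describe the JSON CSRF trick (a cross-site page includes a JSON endpoint as a script and an overridden Array constructor hands it the data) and give the rule "never serve JSON that has an array at top level". The following is an added example, not code from the talk or from the json-csrf repository: a small Ruby helper that enforces the rule, plus a Rack-style middleware that applies it to every JSON response of an app. The wrapper key `data` and the middleware class name are my own choices. A top-level object literal is not a valid JavaScript program, so a script include of the wrapped response fails to parse instead of executing.

```ruby
require 'json'

# Added example (not from the talk or the json-csrf project).
module SafeJSON
  module_function

  # Serialise a value for an HTTP response, never as a bare top-level array.
  # Arrays are wrapped in an object under the (arbitrarily chosen) key "data";
  # objects are passed through unchanged.
  def render(value)
    value = { 'data' => value } if value.is_a?(Array)
    JSON.generate(value)
  end
end

# Rack middleware: rewrite application/json responses so that a bare array
# never reaches the client, and keep Content-Length in step with the body.
class WrapJSONArrays
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    content_type = headers['Content-Type'] || headers['content-type']
    return [status, headers, body] unless content_type.to_s.start_with?('application/json')

    text = +''
    body.each { |chunk| text << chunk }
    body.close if body.respond_to?(:close)

    safe = SafeJSON.render(JSON.parse(text))
    [status, headers.merge('Content-Length' => safe.bytesize.to_s), [safe]]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample app: an endpoint that (unsafely) returns a bare array.
  app = ->(_env) { [200, { 'Content-Type' => 'application/json' }, ['[{"id":1,"title":"Deadly cookies"}]']] }
  _status, _headers, body = WrapJSONArrays.new(app).call({})
  puts body.first # the same data, wrapped in an object
end
```

Wrapping changes what clients receive, so the app's own AJAX code has to read the `data` key; the alternative the slide offers is to stop relying on cookies for these endpoints altogether, which the later slides on custom Authorization headers and Local Storage pick up.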
Slide 82
Slide 82 text
No content
Slide 83
Slide 83 text
VBScript did not fully implement Same Origin
Slide 84
Slide 84 text
No content
Slide 85
Slide 85 text
Block Internet Explorer before IE9
Slide 86
Slide 86 text
Block Internet Explorer before IE9
Slide 87
Slide 87 text
require CSRF token for all AJAX requests
Slide 88
Slide 88 text
No content
Slide 89
Slide 89 text
Are we doing good so far?
Slide 90
Slide 90 text
No content
Slide 91
Slide 91 text
Can we trust a cookie?
Slide 92
Slide 92 text
DNS cache poisoning
Slide 93
Slide 93 text
Can we trust the browser?
Slide 94
Slide 94 text
Can we trust browser plugins?
Slide 95
Slide 95 text
No content
Slide 96
Slide 96 text
No content
Slide 97
Slide 97 text
Signed Cookies
Slide 98
Slide 98 text
Encrypted Cookies
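Slides 97 and 98 name signed and encrypted cookies as the answer to "can we trust a cookie?". The following is an added example, not code from the talk or from any framework: a Ruby module that signs a cookie payload with HMAC-SHA256 (the client can still read it but cannot change `user=bob` into `user=alice` without invalidating the tag), encrypts it with AES-256-GCM (the client cannot read it either), and builds the `Set-Cookie` header with the `HttpOnly` attribute from slide 34. The `--` separator, the key size and the JSON payload format are my own choices; the key is generated at start-up here only so the file runs on its own.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'

# Added example, not code from the talk. A real app would load the key from
# configuration; a fresh random key is generated here so the file runs alone.
SECRET_KEY = SecureRandom.random_bytes(32)

module CookieCodec
  module_function

  # Signed cookie: base64(JSON payload) + "--" + HMAC-SHA256 tag. The client
  # can read "user=bob" but editing it to "user=alice" invalidates the tag.
  def sign(payload, key = SECRET_KEY)
    data = Base64.strict_encode64(JSON.generate(payload))
    "#{data}--#{OpenSSL::HMAC.hexdigest('SHA256', key, data)}"
  end

  # Returns the payload, or nil if the cookie is malformed or was tampered with.
  def verify(cookie, key = SECRET_KEY)
    data, tag = cookie.to_s.split('--', 2)
    return nil if data.nil? || tag.nil?
    return nil unless secure_equal?(tag, OpenSSL::HMAC.hexdigest('SHA256', key, data))
    JSON.parse(Base64.strict_decode64(data))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  # Encrypted cookie: AES-256-GCM hides the payload from the client and also
  # authenticates it. Format: base64(nonce)--base64(ciphertext)--base64(tag).
  def encrypt(payload, key = SECRET_KEY)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = key
    nonce = cipher.random_iv # 12 random bytes; must never repeat under one key
    ciphertext = cipher.update(JSON.generate(payload)) + cipher.final
    [nonce, ciphertext, cipher.auth_tag].map { |b| Base64.strict_encode64(b) }.join('--')
  end

  # Returns the payload, or nil on any malformed, modified or foreign-key input.
  def decrypt(cookie, key = SECRET_KEY)
    parts = cookie.to_s.split('--', 3)
    return nil unless parts.size == 3
    nonce, ciphertext, tag = parts.map { |b| Base64.strict_decode64(b) }
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = key
    cipher.iv = nonce
    cipher.auth_tag = tag
    JSON.parse(cipher.update(ciphertext) + cipher.final)
  rescue ArgumentError, OpenSSL::Cipher::CipherError, JSON::ParserError
    nil
  end

  # The header the server sends. HttpOnly keeps page scripts away from the
  # value (the XSS slides); Secure keeps it off plain-HTTP connections.
  def set_cookie_header(name, value)
    "#{name}=#{value}; Path=/; HttpOnly; Secure"
  end

  # Byte-wise comparison that does not stop at the first differing byte.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  cookie = CookieCodec.sign('user' => 'bob')
  puts CookieCodec.set_cookie_header('session', cookie)
  p CookieCodec.verify(cookie)                   # {"user"=>"bob"}
  p CookieCodec.decrypt(CookieCodec.encrypt('user' => 'bob'))
end
```

Both forms stop a client from choosing its own identity, which is what slides 19 to 28 are about. Neither helps against the eavesdropping case on slides 100 and 101: a copied cookie is still a valid cookie, which is why the talk moves on to TLS and its own problems.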
Slide 99
Slide 99 text
No content
Slide 100
Slide 100 text
Eavesdropping
Slide 101
Slide 101 text
encrypting cookies does not help
Slide 102
Slide 102 text
No content
Slide 103
Slide 103 text
No content
Slide 104
Slide 104 text
No content
Slide 105
Slide 105 text
attacker cannot parse cookie from stream
Slide 106
Slide 106 text
No content
Slide 107
Slide 107 text
Or can they?
Slide 108
Slide 108 text
BEAST: Browser Exploit Against SSL/TLS
Slide 109
Slide 109 text
decrypts TLS 1.0 streams via injected JavaScript
Slide 110
Slide 110 text
No content
Slide 111
Slide 111 text
fixed in TLS 1.1
Slide 112
Slide 112 text
force recent browser
Slide 113
Slide 113 text
don’t allow TLS 1.0
Slide 114
Slide 114 text
No content
Slide 115
Slide 115 text
CRIME: Compression Ratio Info-leak Made Easy
Slide 116
Slide 116 text
SSL has built-in compression
Slide 117
Slide 117 text
GET /?user=alice HTTP/1.1
Host: www.recipetast.ic
Cookie: user=bob

GET /?user=bob HTTP/1.1
Host: www.recipetast.ic
Cookie: user=bob

(better compression)
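The slide shows two requests that differ only in the attacker-controlled query string and claims the second one "compresses better". The following added example (not code from the talk) measures that claim with Ruby's zlib, which uses the same DEFLATE algorithm TLS compression did, and also shows what slide 120's fix ("turn off SSL compression") changes. The third request is a constructed control: a wrong guess of the same length as the real cookie value, so that only compression, not the raw length of the guess, can account for a size difference.

```ruby
require 'zlib'

# Added example, not from the talk. The first two requests are the slide's;
# the third is a constructed control with a same-length wrong guess.
WRONG_GUESS = "GET /?user=alice HTTP/1.1\r\nHost: www.recipetast.ic\r\nCookie: user=bob\r\n\r\n"
RIGHT_GUESS = "GET /?user=bob HTTP/1.1\r\nHost: www.recipetast.ic\r\nCookie: user=bob\r\n\r\n"
WRONG_GUESS_SAME_LENGTH = "GET /?user=ben HTTP/1.1\r\nHost: www.recipetast.ic\r\nCookie: user=bob\r\n\r\n"

# Size of the request as it travels: deflated when the connection negotiated
# compression (as TLS 1.0 stacks could), the raw byte count otherwise.
def size_on_the_wire(request, compression:)
  compression ? Zlib::Deflate.deflate(request).bytesize : request.bytesize
end

# How many bytes shorter the request with the right guess is than the one
# with the wrong guess. A positive value is the side channel: someone who
# cannot read the encrypted stream can still see how long it is. With
# compression off, two same-length guesses give 0 and there is nothing to see.
def observable_difference(wrong, right, compression:)
  size_on_the_wire(wrong, compression: compression) -
    size_on_the_wire(right, compression: compression)
end

if __FILE__ == $PROGRAM_NAME
  puts "compressed:   #{observable_difference(WRONG_GUESS_SAME_LENGTH, RIGHT_GUESS, compression: true)} bytes"
  puts "uncompressed: #{observable_difference(WRONG_GUESS_SAME_LENGTH, RIGHT_GUESS, compression: false)} bytes"
end
```

The repeated `user=bob` is what DEFLATE turns into a back-reference, so the secret leaks through the length whenever attacker-chosen bytes and the cookie share one compression context. Removing compression removes the channel entirely; the random padding of slide 121 only adds noise to it.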
Slide 118
Slide 118 text
No content
Slide 119
Slide 119 text
update your browser
Slide 120
Slide 120 text
turn off SSL compression
Slide 121
Slide 121 text
append random number of bytes to response
Slide 122
Slide 122 text
No content
Slide 123
Slide 123 text
BREACH: Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext
Slide 124
Slide 124 text
like CRIME, but for the response
Slide 125
Slide 125 text
attack the CSRF token, not the cookie
Slide 126
Slide 126 text
inject something into the response: http://www.recipetast.ic/search?q=XXX
Slide 127
Slide 127 text
No content
Slide 128
Slide 128 text
mask CSRF tokens differently in every response (Rails PR pending)
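Slides 69 and 87 introduce the CSRF token, slides 56 to 67 show why Origin and Referer checks are useful but not sufficient on their own, and slide 128 gives the BREACH countermeasure of masking the token differently in every response. The following is an added example that brings those together; it is not the talk's code and not the Rails implementation the slide refers to. A real token is kept per session; every response embeds `pad || (pad XOR token)` under a fresh random pad, so the bytes on the page change each time and a compression oracle has no stable secret to guess against, while the server can still unmask and compare. The `X-CSRF-Token` header name, the own-origin value and the 32-byte token size are my assumptions.

```ruby
require 'securerandom'
require 'base64'

# Added example, not code from the talk or from Rails.
module CSRF
  TOKEN_BYTES = 32

  module_function

  # One real token per session, kept server side (or inside a signed cookie).
  def generate_token
    SecureRandom.random_bytes(TOKEN_BYTES)
  end

  # Mask for one response: base64(pad || pad XOR token) with a fresh pad,
  # so two responses carrying the same token never contain the same bytes.
  def mask(token)
    pad = SecureRandom.random_bytes(token.bytesize)
    Base64.strict_encode64(pad + xor(pad, token))
  end

  # Recover the token the client sends back; nil for anything malformed.
  def unmask(masked)
    raw = Base64.strict_decode64(masked.to_s)
    return nil unless raw.bytesize == 2 * TOKEN_BYTES
    xor(raw[0, TOKEN_BYTES], raw[TOKEN_BYTES, TOKEN_BYTES])
  rescue ArgumentError
    nil
  end

  def xor(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
  end

  # Byte-wise comparison that does not stop at the first differing byte.
  def secure_equal?(a, b)
    return false if a.nil? || b.nil? || a.bytesize != b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def valid_token?(session_token, submitted)
    secure_equal?(session_token, unmask(submitted))
  end

  # Origin, or Referer when the browser sent no Origin, must name our own
  # site. Slides 60 to 67 list why neither header alone is enough, so this is
  # defence in depth next to the token, not a replacement for it.
  def origin_ok?(env, own_origin = 'https://www.recipetast.ic')
    sent = env['HTTP_ORIGIN'] || env['HTTP_REFERER']
    return false if sent.nil?
    sent == own_origin || sent.start_with?("#{own_origin}/")
  end

  # Safe methods (slide 47) must not change state, so they are not checked;
  # everything else needs both an acceptable origin and a valid token.
  def request_allowed?(env, session_token)
    return true if %w[GET HEAD OPTIONS TRACE].include?(env['REQUEST_METHOD'])
    origin_ok?(env) && valid_token?(session_token, env['HTTP_X_CSRF_TOKEN'])
  end
end

if __FILE__ == $PROGRAM_NAME
  token = CSRF.generate_token
  puts CSRF.mask(token) # embed this in the page ...
  puts CSRF.mask(token) # ... and this one in the next page: different bytes, same token
end
```

The mask only protects the token against length-based attacks on the compressed response; the plain search reflection on slide 126 still needs output escaping, and the token check itself still needs the origin check for browsers that do not send one or the other header.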
Slide 129
Slide 129 text
don’t use CSRF tokens
Slide 130
Slide 130 text
No content
Slide 131
Slide 131 text
Do you think about all this when you build an app?
Slide 132
Slide 132 text
Next attack vector around the corner?
Slide 133
Slide 133 text
No content
Slide 134
Slide 134 text
Alternatives
Slide 135
Slide 135 text
IP address
Slide 136
Slide 136 text
Session ID in URL
Slide 137
Slide 137 text
No content
Slide 138
Slide 138 text
Custom Authorization header
Slide 139
Slide 139 text
No content
Slide 140
Slide 140 text
Store value in Local Storage
Slide 141
Slide 141 text
Needs JavaScript :(
Slide 142
Slide 142 text
Works well with PJAX / Turbolinks-like setups
Slide 143
Slide 143 text
No content
Slide 144
Slide 144 text
New Browser Concepts?
Slide 145
Slide 145 text
No content
Slide 146
Slide 146 text
@konstantinhaase
[email protected]
rkh.im